Thursday, September 12, 2019

Ubuntu Remote Desktop

I wanted to be able to access xfce desktop sessions remotely via the browser and via Windows Remote Desktop Connection.  These steps were performed on a clean install of Ubuntu after a user was added with sudo access but before the firewall was enabled.  Your results may differ.

Browser Remote Access By VPS Host 

My host is Interserver. Chances are, your VPS host, like Interserver already provides terminal access to your server. My first attempts failed because my keyboard and mouse were disabled preventing a simple log in in a GUI environment.  I finally figured out the steps to make it work. First step is to install xfce4:
$ sudo apt update
$ sudo apt install xfce4 xfce4-goodies
You need to have a windows manager installed.  I chose lightdm:
$ sudo apt install lightdm
Install kwallet packages
$ sudo apt-get install libpam-kwallet4 libpam-kwallet5
Start the lightdm service
$ sudo systemctl start lightdm 
Now when I access the server through the host's website I get a log-in with both the mouse and keyboard operating properly.  However, the login screen fails when you try to login. You can fix this by telling lightdm which desktop session you want to use. 
# nano /usr/share/lightdm/lightdm.conf.d/50-xfce-greeter.conf
Copy and paste the following into the file
Save the file.  Restart the lightdm service:
$ sudo systemctl restart lightdm
My only complaint is that the connection is a but sluggish.  The mouse movement is a bit jerky.  But, in a pinch it works.

Windows Remote Desktop Connection

You can access your VPS through the Windows Remote Desktop Connection. To connect you need to install xrdp.
$ sudo apt update
$ sudo apt install xrdp
You'll need to let the server know which desktop session you prefer to use.
$ nano ~/.xsession
Add the following to the file:
Save the file.
Add xrdp to ssl-cert group:
sudo adduser xrdp ssl-cert
Create .Xauthority file if missing or corrupt.  (Start SSH session with putty - with X11 forwarding enabled and X display location set to localhost)
# Rename the existing .Xauthority file by running the following command
mv .Xauthority old.Xauthority
# xauth with complain unless ~/.Xauthority exists
touch ~/.Xauthority

# only this one key is needed for X11 over SSH
xauth generate :0 . trusted

# generate our own key, xauth requires 128 bit hex encoding
xauth add ${HOST}:0 . $(xxd -l 16 -p /dev/urandom)

# To view a listing of the .Xauthority file, enter the following
xauth list
Reboot the server. Now open the Windows Remote Desktop, enter the ip address in the Computer box, then click connect.  After you connect start an Xorg session by entering your username and password.  You should connect to your desktop. If you have trouble connecting make sure you're not already signed in to another desktop session.


Connection via Windows Remote Desktop

Debian I was not able to connect.  After editing the following file I was able to connect.
$ sudo nano /etc/X11/Xwrapper.config
Change the following from console to anybody
$ allowed_users = anybody

gtk-warning ** cannot open display 10.0

I installed synaptic and got the cannot open display warning.  The warning did not occur if I logged in as root.  After much research I learned that in Debian, $XAUTHORITY is usually not set explicitly.  To correct for this I edited the .bashrc file in the users root directory
$ nano .bashrc
Add the following line:
Save the file.  In the remote desktop session, I used application finder to locate the synaptic launcher I prefixed sudo the command and checked the box under options to  run in terminal. Now when I click synaptic in the menu the terminal opens for authentication and the program opens as  expected.

NoVNC Remote Access

Desktop remote access through the VPS host was sluggish. You can also access the remote desktop via novnc.   The novnc connection was more responsive for me.  First install novnc, websockify, and python-numpy.
$ sudo apt -y install novnc websockify python-numpy
Then install a vncserver. I chose tightvncserver
$ sudo apt install tightvncserver
Create a self-signed certificate to make the session secure.
$ cd /etc/ssl
$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout novnc.pem -out novnc.pem -days 365
$ chmod 644 novnc.pem
Start vncserver.  The first time you will be prompted to enter a new password.
$ vncserver
If successful, vncserver start a session at port 5901.  If you need to end the session use the kill option.  The ':1" stands for port 5901.  A ':2' will stand for port 5902, and so on.
$ vncserver -kill :1
To start a vncsession specifically at port 5901, enter the following.
$ vncserver :1
Now were ready to start a websockify session. The following command assigns port 6080 as a proxy for port 5901 and signs in securely using the ssl certificate you previously established:
$ sudo websockify -D --web=/usr/share/novnc/ --cert=/etc/ssl/novnc.pem 6080 localhost:5901
You should get a session confirmation.
WebSocket server settings:
  - Listen on :6080
  - Flash security policy server
  - Web server. Web root: /usr/share/novnc
  - SSL/TLS support
  - Backgrounding (daemon)
Open the broswer and go to the following url.
If you get a warning that the site is unsecure click the links confirming you accept the risk.  sign in using the vnc password you chose during the initial vncserver setup.  If you get an error message try disabling "encrypt" (click the gear icon).  Once the connected there will be a blue bar at the top that tells you whether or not the connection is secure. If you still have problems connecting:

  • Make sure you are not already signed in the desktop (like through the VPS host or Windows Remote Desktop
  • Verify there is a running vncserver session at the port you're trying to access. 
  • Verify you have started a websockify session.
  • Verify the the port you're trying to access through the browser matches the websockify session.
  • Verify the lightdm service is running (sudo systemctl status lightdm)
  • If all else fails try rebooting.  You will need to start new vnc and websockify sessions.